Targeted Ransomware Attacks Hit Several Spanish Companies

Everis, one of the largest IT consulting companies in Spain, suffered a targeted ransomware attack on Monday, forcing the company to shut down all its computer systems until the issue gets resolved completely.

Ransomware is a computer virus that encrypts files on an infected system until a ransom is paid.

According to several local media, Everis informed its employees about the devastating widespread ransomware attack, saying:

“We are suffering a massive virus attack on the Everis network. Please keep the PCs off. The network has been disconnected with clients and between offices. We will keep you updated.”

“Please, urgently transfer the message directly to your teams and colleagues due to standard communication problems.”

According to cybersecurity consultant Arnau Estebanell Castellví, the malware encrypted files on Everis’s computers with an extension name resembling the company’s name, i.e., “.3v3r1s,” which suggests the attack was highly targeted.

At this moment, it’s unknown which specific ransomware family was used to target the company, but the attackers behind the attack reportedly demanded €750,000 (~USD 835,000) in ransom for the decryptor, a company insider informed bitcoin.es site.

However, considering the highly targeted nature of the attack, the founder of VirusTotal in a tweet suggests the type of ransomware could be BitPaymer/IEncrypt, the same malware that was recently found exploiting a zero-day vulnerability in Apple’s iTunes and iCloud software.

Here’s the ransomware message that was displayed on the screens of the infected computers across the company:

Hi Everis, your network was hacked and encrypted.No free decryption software is available on the web.Email us at [email protected] or [email protected] to get the ransom amount.Keep our contacts safe.Disclosure can lead to the impossibility of decryption.

What’s more? It seems like Everis is not the only company that suffered a ransomware attack this morning.

Some other Spanish and European companies have reportedly also been hit by a similar ransomware malware during the same period, of which the national radio network La Cadena SER has confirmed the cyber attack.

“The SER chain has suffered this morning an attack of a computer virus of the ransomware type, file encrypter, which has had a serious and widespread affectation of all its computer systems,” the company said.

“Following the protocol established in cyberattacks, the SER has seen the need to disconnect all its operating computer systems.”

The company has also informed that its “technicians are already working for the progressive recovery of the local programming of each of their stations.”

At the time of writing, it’s unclear if the hackers behind these ransomware attacks are the same, how the malware infiltrated the companies in the first place and did it contain wormable capabilities to successfully spread itself across the network.

Though it’s unconfirmed, some people familiar with the incident also suspect attackers might have used the BlueKeep RDP vulnerability to compromise the company’s servers, whose first mass exploitation activity was spotted in the wild just yesterday in a separate campaign.

The Hacker News is in contact with some of the targeted company’s employees and will update you with more information about the incident shortly.

Meanwhile, the Spanish Department of Homeland Security has also issued a warning about the ongoing cyber attack and recommended users to follow basic security practices like keeping their systems updated and having a proper backup of their important data.